Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Privacy in 2017 – From Challenges to Opportunities

shutterstock_506487853After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written.  However, 2017 will not be without challenges and the same applies to the world of privacy and data protection.  Many of the big issues that arose during 2016 will need to be addressed in 2017.  In addition, new questions will no doubt emerge.  Here is an overview of the privacy challenges that lie ahead and what can be done about them.

Continue Reading

Posted in International/EU Privacy

Russia Releases 2017 Data Privacy Inspection Plans; Microsoft Passes 2016 Inspection

shutterstock_366140141At the end of 2016, territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2017 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including data localization. The inspection plans contain a number of prominent multi-national and Russian companies.

Continue Reading

Posted in International/EU Privacy, News & Events

University Panthéon-Assas (Paris II) and Hogan Lovells Launch a Data Protection Officer Degree

Blog imageOn January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree (diplôme d’université) aimed at training future Data Protection Officers (DPOs) under the new European General Data Protection Regulation (GDPR), which becomes effective across the EU on May 25th, 2018.  Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include courses in law, cybersecurity, data analytics, management and ethics.  The faculty will include professors from various law schools, as well as practicing DPOs, information security specialists, lawyers and regulators from the CNIL (the French data protection authority), and major companies including Sanofi, Renault, GE, Axa, Lagardère, Google, Microsoft, Schneider Electric, BNP Paribas and the Banque Postale.

Speaking at the opening ceremony, Professor Fauvarque-Cosson commented: “This is an exciting time because data protection law is being created before our eyes.  The new European regulation is just the start.”  Winston Maxwell underlined the difficulties of the DPO role under the GDPR: “The DPO is an important management position, but it will not be easy.”

Information about the new program is available here.

To see Professor Fauvarque-Cosson’s and Winston Maxwell’s video, click here.

Posted in International/EU Privacy

New Notice and Consent Rules under Proposed EU e-Privacy Regulation

shutterstock_419561389The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive.  The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services.  It is also concerned with the protection of information related to the devices of end users located in the EU.

In this particular respect, the draft e-Privacy Regulation introduces revised and complex rules affecting end users’ terminal equipment and how data is collected in that context.  Our high level assessment of the notice and consent requirements affecting various data activities involving users’ devices can be found here.

The consequences for non-compliance follow a two-tier approach as follows:

  • Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories and unsolicited communications may be punished with fines of up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher.
  • Breaches of the rules regarding the confidentiality of communications, permitted processing of electronic communications data and the time limits for erasure of data may be punished with fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher.

This is the beginning of the formal legislative process and now the draft is in the hands of the European Parliament and the Council of the EU.

Sam Choi, a trainee solicitor in our London office, contributed to this entry.

Posted in News & Events

Privacy and Cybersecurity January 2017 Events

Please join us for our January 2017 Privacy and Cybersecurity Events.

January 11
Japan’s 2017 Data Privacy and Tech Agenda
Julie Brill and Harriet Pearson will host a presentation by two of Japan’s most senior officials and authorities on recent changes to Japan’s privacy law and the establishment of a new Personal Information Protection Commission (PPC). Yoshikazu Okamoto, Director of the PPC Secretariat, will present on the mission and agenda of the PPC, the requirements and implementation timeline of the new law, and Japan’s international engagement on these issues. Professor Fumio Shimpo of Keio University, a noted expert on Japanese privacy and technology law and policy, will add his perspectives on legal and policy aspects of the Internet of Things, artificial intelligence, and robotics. Click here to register for the event.
Location: Hogan Lovells’ office in Washington, D.C.


January 25
Computers, Privacy & Data Protection
Julie Brill and Eduardo Ustaran will speak at the CPDP Conference. Julie will speak on “AI & GDPR: Concretely, What Are the Obligations & Steps to Take?” and Eduardo on “Implementing the Data Protection Regulation.”
Location: Brussels, Belgium


January 31-February 1
GDPRnow: A Practical Guide to Implementing the GDPR
Hogan Lovells will be hosting GDPRnow, two half-day events that will feature speakers from our global Privacy and Cybersecurity practice and Helen Dixon, the Irish Data Protection Commissioner. GDPRnow will offer expert and practical guidance on how to prepare for the GDPR. Hogan Lovells speakers include: Julie Brill and Bret Cohen (Washington, D.C.), Joke Bodewits (Amsterdam), Gonzalo Gállego (Madrid), Marcus Schreibauer (Düsseldorf), Stefan Schuppert (Munich), and Eduardo Ustaran (London).
Location: Hogan Lovells’ offices in Washington, D.C. and New York


Posted in Cybersecurity & Data Breaches

New York Department of Financial Services Cybersecurity Rules Revised and Delayed

shutterstock_71527090The New York Department of Financial Services (NYDFS) just issued major revisions to the cybersecurity regulations for financial institutions that were due to come into effect on January 1, 2017. To allow covered institutions more time to implement the rules, the effective date will now be March 1, 2017, with a series of staggered implementation dates beyond this. There are several notable substantive changes in the revised rules.

Click here to learn more about the major changes to the proposed rules, timing and implementation details, and how to prepare for the new requirements as well as other related cybersecurity developments.

For more details on the NYDFS cybersecurity regulations for financial institutions, please see our previous blog post.

Posted in International/EU Privacy

UK Department for Transport Launches Consultation on Regulations for Civil Drone Usage

shutterstock_371800750The 2016 holiday gift guides have heavily featured consumer drones; as such, it is not unfeasible that you or someone you know will receive a drone in the coming weeks.  In anticipation of that happy event, on 21 December the UK Department for Transport gave its own gift: a consultation paper on ensuring the safe use of drones, to help the UK to tap into this growing market.

Continue Reading

Posted in International/EU Privacy

The CJEU Gives the UK Government Another Brexit Dilemma

shutterstock_442032913In yet another key case dealing with the balance between citizens’ privacy and the ability of the state to intrude into it, the Court of Justice of the European Union (CJEU) has ruled on the compatibility with European Union law of legislation that authorises the retention of communications data, which includes personal data. The reference from the UK Court of Appeal resulted from a challenge to the Data Retention and Investigatory Powers Act 2014 (DRIPA) brought by individuals that include Tom Watson, deputy leader of the Labour Party and represented by Liberty. Interveners include the Law Society of England and Wales, the Open Rights Group, and Privacy International.

The CJEU considered the compatibility of such legislation with the e-Privacy Directive, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union—which protect private and family life and personal data respectively—and its previous decision in C-293/12 Digital Rights Ireland—which invalidated the Data Retention Directive.

Continue Reading

Posted in International/EU Privacy

European Commission Outlines Data Sharing Strategy for Connected Vehicles

shutterstock_94246042Connected vehicles today are rolling computers able to exchange information wirelessly with manufacturers, other vehicles, and third party service providers to significantly improve safety, efficiency, and comfort for drivers.  Many entities are interested in the data these connected vehicles generate and transmit.  These entities include dealers and repair shops, vehicle fleet service providers, end-users, infrastructure operators, diagnostics providers, researchers, financial services companies and insurance companies.  The European Commission and industry actors in Europe, while recognizing the challenges of wide-spread deployment of these technologies, have taken further steps to develop a regime that facilitates information sharing for vehicle to vehicle, vehicle to infrastructure and other communications by delineating specific actions to take in the near future. Continue Reading

Posted in International/EU Privacy

Triple GDPR Guidance Issued by Article 29 Working Party

EU-flag-map-No one could accuse the EU Article 29 Working Party (WP29) of not delivering as promised.  Following its recently held December plenary meeting, the WP29 has released three separate guidelines with their interpretation of some key aspects of the General Data Protection Regulation, namely:

  • data portability,
  • data protection officers (DPOs), and
  • lead supervisory authorities.

At the same time, the WP29 has confirmed its role as the “EU centralised body” for handling individual complaints under the Privacy Shield and the re-establishment of its enforcement subgroup in charge of coordinating cross-border enforcement actions. Continue Reading